A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

TOP VULNERABILITY THIS WEEK: A major information disclosure
vulnerability impacting users of the popular W3 TotalCache for Wordpress
plugin was announced this week, with all files touched by the caching
server being publicly available on the Internet by default with no
authentication. The author of the plugin is currently working on a fix,
but administrators can take simple action in the interim to reduce their
exposure.

============================================================

TRAINING UPDATE

--SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data
Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your
Friends and Neighbors for Fun. Special Event: NetWars Tournament of
Champions. http://www.sans.org/event/security-east-2013

--North American SCADA and Process Control Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems
engineers, IT security professionals and critical infrastructure
protection specialists from asset owning and operating organizations
along with control systems and security vendors who have innovative
solutions for improving security. The Security Summit is an action
conference designed so that every attendee leaves with new tools and
techniques they can put to work immediately when they return to their
office. The Summit is the place to come and interact with top SCADA
experts, key government personnel, researchers and asset owners at the
multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III. http://www.sans.org/event/north-american-scada-2013

Title: Wordpress W3 TotalCache Information disclosure
Description: A security researcher has discovered that, by default, the
popular W3 TotalCache plugin for Wordpress leaves cache files in
directories readable by the web server, with indexing enabled. That
allows for trivial web searches of all cached files of impacted servers,
including database session information, password-restricted data, etc.
At the time of writing, approximately 1.19 million results were returned
with appropriate Google searches, demonstrating the scope of the issue.
Impacted administrators should immediately disable indexing on all W3
TotalCache directories, and look for a patch that the author of the
product is currently working on.
Reference: http://seclists.org/fulldisclosure/2012/Dec/242
http://wordpress.org/extend/plugins/w3-total-cache/
Snort SID: 25120
ClamAV: N/A
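An interim hardening script for the W3 Total Cache issue above, added here as an example and not code from the newsletter or from the plugin's author. It assumes an Apache front end that honors .htaccess Options overrides, and the cache directory names wp-content/w3tc and wp-content/cache are assumptions to adjust for your install:

```shell
#!/bin/sh
# Added example: drop an .htaccess into each W3 Total Cache directory so
# Apache stops producing directory listings of the cache files, and
# verify that it is in place. Directory names below are assumptions.
set -eu

# Write an .htaccess that turns off autoindex in the directory given as $1.
# Caveat: "Options -Indexes" in .htaccess only works if the vhost has
# AllowOverride Options (or All); otherwise Apache answers 500 for the
# directory and the directive belongs in httpd.conf instead.
harden_cache_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "skip: $dir is not a directory" >&2; return 1; }
    cat > "$dir/.htaccess" <<'EOF'
# Interim mitigation: never list the contents of this cache directory.
Options -Indexes
EOF
    chmod 0644 "$dir/.htaccess"
}

# Succeeds only if $1 carries an .htaccess that disables indexing.
check_cache_dir() {
    grep -qs '^Options -Indexes' "$1/.htaccess"
}

# Harden every assumed cache location under the WordPress document root $1.
harden_all() {
    root=$1
    for d in "$root/wp-content/w3tc" "$root/wp-content/cache"; do
        if [ -d "$d" ]; then
            harden_cache_dir "$d"
        fi
    done
    return 0
}
```

After running it, request one of the cache directories in a browser and confirm the listing is gone; if the page cache is served as static files, confirm cached pages still load.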

Title: NVidia Display Driver "Christmas 0-day"
Description: Proving that information security never sleeps, a security
researcher in the UK released exploit code for a new NVidia display
driver vulnerability on PasteBin on Christmas Day. While the researcher
has stated on his Twitter feed that it is likely "not wormable", the
issue is clearly serious, and is likely to be addressed directly by
NVidia soon. As the exploit uses an SMB pipe, in the interim concerned
users should ensure that they are using a firewall to protect their
systems from as much exposure to Windows SMB protocols as possible
without impacting business.
Reference: http://pastebin.com/QP7eZaJt
Snort SID: N/A
ClamAV: N/A

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

(c) 2012. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
https://www.sans.org/account